
RDS Encrypted With KMS Customer Master Keys

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: RDS-005

Ensure that your Amazon RDS database instances are encrypted with customer-managed Customer Master Keys (CMKs) instead of the AWS managed key (the default aws/rds key that Amazon RDS uses when no customer key is specified), in order to have fine-grained control over the Amazon RDS encryption and decryption process. (AWS KMS has since renamed CMKs to "KMS keys"; this rule keeps the older term, so "customer-provided CMK" below means a customer managed KMS key.)

This rule can help you with the following compliance standards:

  • GDPR
  • APRA
  • MAS
  • NIST4


This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When you create and use your own customer-managed Customer Master Keys (CMKs) to protect Amazon RDS database instances, you gain full control over who can use the keys and access the data encrypted on these instances (including any automated backups, Read Replicas, and snapshots created from the instances). Amazon KMS allows you to create, rotate, disable, enable, and audit the CMKs used by your RDS instances. With the AWS managed key (alias aws/rds) you get none of this: its key policy cannot be edited, you cannot disable it or schedule it for deletion, and a snapshot encrypted with it cannot be shared with another AWS account, so cross-account restores and migrations require a customer-managed key anyway. Keep in mind that encryption at rest protects the underlying storage, backups and snapshots; it does not protect data read through a valid database connection, so database credentials, network access and IAM permissions still need their own controls.

Note: The set of DB instance classes that support encryption at rest has grown considerably since this rule was first published in 2016, when it was limited to db.t2.large, db.m3.medium to db.m3.2xlarge, db.m4.large to db.m4.10xlarge, db.r3.large to db.r3.8xlarge and db.cr1.8xlarge. Today nearly all current classes support it and only a few legacy classes (for example db.t2.micro and the M1/M2 families) do not; check the Amazon RDS documentation for the current exceptions before choosing a class, because encryption can only be set when an instance is created or restored, not afterwards.


Audit

To determine if your Amazon RDS database instances are encrypted with customer-provided Customer Master Keys, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon RDS console at https://console.aws.amazon.com/rds/.

03 In the navigation panel, under Amazon RDS, choose Databases.

04 Click on the name (link) of the Amazon RDS database instance that you want to examine. To identify RDS database instances, check the database role available in the Role column (i.e. Instance).

05 Select the Configuration tab and check the Encryption attribute value. If the Encryption value is set to Not enabled, the encryption of data at rest is not enabled for the selected database instance. Follow the instructions outlined in this conformity rule to enable encryption for the selected RDS instance. If the Encryption value is set to Enabled and the AWS KMS key attribute value is set to aws/rds, the selected Amazon RDS database instance is not encrypted with a customer-provided Customer Master Key (CMK).

06 Repeat steps no. 4 and 5 for each Amazon RDS database instance available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-db-instances command (OSX/Linux/UNIX) with custom query filters to list the names of the Amazon RDS database instances provisioned in the selected AWS region:

aws rds describe-db-instances \
  --region us-east-1 \
  --output table \
  --query 'DBInstances[*].DBInstanceIdentifier'

02 The command output should return a table with the requested database instance names:

--------------------------------
|     DescribeDBInstances      |
+------------------------------+
|  cc-project5-mysql-database  |
|  cc-prod-postgres-database   |
+------------------------------+

03 Run describe-db-instances command (OSX/Linux/UNIX) using the name of the Amazon RDS database instance that you want to examine as the identifier parameter and custom query filters to determine if the selected database instance is encrypted at rest and which KMS key protects it:

aws rds describe-db-instances \
  --region us-east-1 \
  --db-instance-identifier cc-project5-mysql-database \
  --query 'DBInstances[*].{"StorageEncrypted":StorageEncrypted,"KmsKeyId":KmsKeyId}'

04 The command output should expose the instance encryption status and the key (if any) that protects its storage:

  1. If the describe-db-instances command output returns false for the "StorageEncrypted" attribute, as shown in the output example below, the encryption of data at rest is not enabled for the selected database instance, therefore the Audit process ends here. You can follow the instructions outlined in this conformity rule to enable encryption for the selected RDS instance:
    [
        {
            "StorageEncrypted": false,
            "KmsKeyId": null
        }
    ]
    
  2. If the describe-db-instances command output returns true for the "StorageEncrypted" attribute, as shown in the output example below, the encryption of data at rest is enabled for the selected database instance, therefore you can continue the Audit process with the next step:
    [
        {
            "StorageEncrypted": true,
            "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd"
        }
    ]
    

05 Run describe-key command (OSX/Linux/UNIX) using the ARN of the KMS key returned at the previous step as the identifier parameter and custom query filters to describe the manager of the specified key (a KMS key is a regional resource; the ARN already carries the region, which is the same as the instance's):

aws kms describe-key \
  --region us-east-1 \
  --key-id arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd \
  --query 'KeyMetadata.KeyManager'

06 The command output should return the encryption key manager ("AWS" if the key is the AWS managed key, i.e. aws/rds, and "CUSTOMER" if the key is customer-managed):

"AWS"

If the describe-key command output returns "AWS", as shown in the output example above, the selected Amazon RDS database instance is not encrypted with a customer-provided Customer Master Key (CMK).

07 Repeat steps no. 3 – 6 for each Amazon RDS database instance available in the selected AWS region.

08 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
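A scripted form of the CLI audit above, added here as an example and not part of Conformity's own checker: it walks every region, pages through describe-db-instances, resolves each KmsKeyId once through kms:DescribeKey, and reports instances that are either unencrypted or encrypted with the AWS managed key. The classification lives in pure functions that work on captured API output, so it is exercised on constructed records (the instance names and key ARNs are made up for the example); audit_account() is the live path and assumes boto3 with credentials allowing ec2:DescribeRegions, rds:DescribeDBInstances and kms:DescribeKey.

```python
"""Multi-region audit for rule RDS-005: RDS instances not encrypted with a customer-managed key.

Added example; not Conformity's checker. Pure helpers run offline on captured API output,
audit_account() needs boto3 and AWS credentials (assumption).
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    region: str
    db_instance: str
    status: str                 # "NOT_ENCRYPTED" | "AWS_MANAGED_KEY" | "CUSTOMER_KEY"
    kms_key_id: str | None


def classify(db: dict, key_manager: str | None) -> str:
    """Map one DescribeDBInstances record plus its key's KeyManager to a rule status.

    key_manager is KeyMetadata.KeyManager from kms:DescribeKey ("AWS" or "CUSTOMER"),
    or None when the instance has no key. An unencrypted instance has no KmsKeyId at all.
    """
    if not db.get("StorageEncrypted") or not db.get("KmsKeyId"):
        return "NOT_ENCRYPTED"
    if key_manager == "CUSTOMER":
        return "CUSTOMER_KEY"
    return "AWS_MANAGED_KEY"       # aws/rds, or an unknown manager: treat as non-compliant


def audit_records(region: str, instances: list[dict], key_managers: dict[str, str]) -> list[Finding]:
    """Pure form of the audit: instances is DescribeDBInstances['DBInstances'],
    key_managers maps a KmsKeyId ARN to its KeyManager value."""
    findings = []
    for db in instances:
        key_id = db.get("KmsKeyId")
        status = classify(db, key_managers.get(key_id) if key_id else None)
        findings.append(Finding(region, db["DBInstanceIdentifier"], status, key_id))
    return findings


def noncompliant(findings: list[Finding]) -> list[Finding]:
    """RDS-005 fails for unencrypted instances and for AWS-managed-key instances alike."""
    return [f for f in findings if f.status != "CUSTOMER_KEY"]


def audit_account(regions: list[str] | None = None) -> list[Finding]:
    """Live audit across regions; boto3 is imported lazily so the pure helpers import offline."""
    import boto3  # assumption: boto3 installed and credentials configured

    if regions is None:
        ec2 = boto3.client("ec2", region_name="us-east-1")
        regions = [r["RegionName"] for r in ec2.describe_regions()["Regions"]]
    findings: list[Finding] = []
    for region in regions:
        rds = boto3.client("rds", region_name=region)
        kms = boto3.client("kms", region_name=region)
        instances: list[dict] = []
        for page in rds.get_paginator("describe_db_instances").paginate():
            instances.extend(page["DBInstances"])
        key_managers: dict[str, str] = {}
        for db in instances:                       # one DescribeKey per distinct key
            key_id = db.get("KmsKeyId")
            if key_id and key_id not in key_managers:
                key_managers[key_id] = kms.describe_key(KeyId=key_id)["KeyMetadata"]["KeyManager"]
        findings.extend(audit_records(region, instances, key_managers))
    return findings


# Constructed sample records shaped like describe-db-instances output (not real API output).
AWS_KEY = "arn:aws:kms:us-east-1:123456789012:key/bbbb2222-bbbb-2222-bbbb-2222bbbb2222"
CUSTOMER_KEY = "arn:aws:kms:us-east-1:123456789012:key/aaaa1111-aaaa-1111-aaaa-1111aaaa1111"
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "cc-project5-mysql-database", "StorageEncrypted": False},
    {"DBInstanceIdentifier": "cc-prod-postgres-database", "StorageEncrypted": True, "KmsKeyId": AWS_KEY},
    {"DBInstanceIdentifier": "cc-staging-mysql-database", "StorageEncrypted": True, "KmsKeyId": CUSTOMER_KEY},
]
SAMPLE_KEY_MANAGERS = {AWS_KEY: "AWS", CUSTOMER_KEY: "CUSTOMER"}

if __name__ == "__main__":
    for f in noncompliant(audit_records("us-east-1", SAMPLE_INSTANCES, SAMPLE_KEY_MANAGERS)):
        print(f"{f.region} {f.db_instance}: {f.status} ({f.kms_key_id})")
```

Run it without arguments for the dry run over the sample records; call audit_account() (or audit_account(["us-east-1"])) for the real account. The KeyManager lookup is what distinguishes aws/rds from a customer key: StorageEncrypted alone is not enough, which is why the "AWS_MANAGED_KEY" status is reported separately from "NOT_ENCRYPTED".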

Remediation / Resolution

To enable encryption at rest for your Amazon RDS database instances using customer-managed Customer Master Keys (CMKs), perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON). StorageEncrypted and KmsKeyId can only be set when the instance is created: changing either on an existing AWS::RDS::DBInstance makes CloudFormation replace the instance, so for an existing database migrate the data with the snapshot-copy procedure described later in this section (or restore from an encrypted snapshot via DBSnapshotIdentifier) rather than editing the property in place:

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Enable Encryption at Rest with Customer-Provided CMKs",
	"Parameters": {
		"DBInstanceName": {
			"Default": "mysql-database-instance",
			"Description": "RDS database instance name",
			"Type": "String",
			"MinLength": "1",
			"MaxLength": "63",
			"AllowedPattern": "^[a-zA-Z](-?[a-zA-Z0-9])*$",
			"ConstraintDescription": "Must begin with a letter and must not end with a hyphen or contain two consecutive hyphens."
		},
		"DBInstanceClass": {
			"Default": "db.t2.small",
			"Description": "DB instance class/type",
			"Type": "String",
			"ConstraintDescription": "Must provide a valid DB instance type."
		},
		"DBAllocatedStorage": {
			"Default": "20",
			"Description": "The size of the database (GiB)",
			"Type": "Number",
			"MinValue": "20",
			"MaxValue": "65536",
			"ConstraintDescription": "Must be between 20 and 65536 GiB."
		},
		"DBName": {
			"Default": "mysqldb",
			"Description": "Database name",
			"Type": "String",
			"MinLength": "1",
			"MaxLength": "64",
			"AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*",
			"ConstraintDescription": "Must begin with a letter and contain only alphanumeric characters."
		},
		"DBUsername": {
			"Description": "Master username for database access",
			"Type": "String",
			"MinLength": "1",
			"MaxLength": "16",
			"AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*",
			"ConstraintDescription": "Must begin with a letter and contain only alphanumeric characters."
		},
		"DBPassword": {
			"NoEcho": "true",
			"Description": "Password for database access",
			"Type": "String",
			"MinLength": "8",
			"MaxLength": "41",
			"AllowedPattern": "[a-zA-Z0-9]*",
			"ConstraintDescription": "Must contain only alphanumeric characters."
		}
	},
	"Resources": {
		"RDSInstance": {
			"Type": "AWS::RDS::DBInstance",
			"Properties": {
				"DBInstanceIdentifier": {
					"Ref": "DBInstanceName"
				},
				"DBName": {
					"Ref": "DBName"
				},
				"MasterUsername": {
					"Ref": "DBUsername"
				},
				"MasterUserPassword": {
					"Ref": "DBPassword"
				},
				"DBInstanceClass": {
					"Ref": "DBInstanceClass"
				},
				"AllocatedStorage": {
					"Ref": "DBAllocatedStorage"
				},
				"Engine": "MySQL",
				"EngineVersion": "5.7.36",
				"StorageEncrypted": true,
				"KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd"
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable Encryption at Rest with Customer-Provided CMKs
Parameters:
  DBInstanceName:
    Default: mysql-database-instance
    Description: RDS database instance name
    Type: String
    MinLength: '1'
    MaxLength: '63'
    AllowedPattern: '^[a-zA-Z](-?[a-zA-Z0-9])*$'
    ConstraintDescription: Must begin with a letter and must not end with a hyphen
      or contain two consecutive hyphens.
  DBInstanceClass:
    Default: db.t2.small
    Description: DB instance class/type
    Type: String
    ConstraintDescription: Must provide a valid DB instance type.
  DBAllocatedStorage:
    Default: '20'
    Description: The size of the database (GiB)
    Type: Number
    MinValue: '20'
    MaxValue: '65536'
    ConstraintDescription: Must be between 20 and 65536 GiB.
  DBName:
    Default: mysqldb
    Description: Database name
    Type: String
    MinLength: '1'
    MaxLength: '64'
    AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'
    ConstraintDescription: Must begin with a letter and contain only alphanumeric
      characters.
  DBUsername:
    Description: Master username for database access
    Type: String
    MinLength: '1'
    MaxLength: '16'
    AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'
    ConstraintDescription: Must begin with a letter and contain only alphanumeric
      characters.
  DBPassword:
    NoEcho: 'true'
    Description: Password for database access
    Type: String
    MinLength: '8'
    MaxLength: '41'
    AllowedPattern: '[a-zA-Z0-9]*'
    ConstraintDescription: Must contain only alphanumeric characters.
Resources:
  RDSInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      DBInstanceIdentifier: !Ref 'DBInstanceName'
      DBName: !Ref 'DBName'
      MasterUsername: !Ref 'DBUsername'
      MasterUserPassword: !Ref 'DBPassword'
      DBInstanceClass: !Ref 'DBInstanceClass'
      AllocatedStorage: !Ref 'DBAllocatedStorage'
      Engine: MySQL
      EngineVersion: '5.7.36'
      StorageEncrypted: true
      KmsKeyId: arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd

Using Terraform

01 Terraform configuration file (.tf). As with CloudFormation, storage_encrypted and kms_key_id force a new resource: applying them to an existing aws_db_instance destroys and recreates it, losing the data unless the new instance is restored from an encrypted snapshot (e.g. via snapshot_identifier). Use this configuration for new instances and the snapshot-copy procedure described later in this section for existing ones:

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.27"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

# Master password supplied at apply time (TF_VAR_db_password or a secrets backend)
# rather than committed to the configuration; marked sensitive so it is redacted
# from plan output.
variable "db_password" {
  type      = string
  sensitive = true
}

resource "aws_db_instance" "rds-database-instance" {
  allocated_storage         = 20
  engine                    = "mysql"
  engine_version            = "5.7"
  instance_class            = "db.t2.small"
  name                      = "mysqldb"
  username                  = "ccmysqluser01"
  password                  = var.db_password
  parameter_group_name      = "default.mysql5.7"
  final_snapshot_identifier = "rds-database-instance-snapshot"

  # Enable Encryption at Rest with Customer-Provided CMKs. Both attributes force
  # replacement of an existing instance; migrate data via an encrypted snapshot
  # copy before changing them on a database that already holds data.
  storage_encrypted = true
  kms_key_id        = "arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd"

  apply_immediately = true
}

Using AWS Console

01 Sign in to AWS Management Console.

02 To create your own customer-provided Customer Master Key (CMK), navigate to Amazon KMS console at https://console.aws.amazon.com/kms/.

03 In the left navigation panel, click Customer managed keys.

04 Select the appropriate AWS region from the navigation bar (must match the region of your RDS database instance).

05 Click Create Key button from the dashboard top menu to initiate the setup process.

06 For Step 1 Configure key, choose Symmetric from the Key type section, and select KMS for the Key material origin, available under Advanced options. Click Next to continue.

07 For Step 2 Add labels, provide a unique name (alias) and a short description for your new CMK, then use the Add tag button to create any required tag sets (optional). Click Next to continue the setup process.

08 For Step 3 Define key administrative permissions, choose which IAM users and/or roles can administer your new CMK through the KMS API. You may need to add additional permissions for the users or roles to administer the key from the AWS console. Click Next to continue.

09 For Step 4 Define key usage permissions, within This account section, select which IAM users and/or roles can use the new Customer Master Key (CMK) for cryptographic operations. (Optional) In the Other AWS accounts section, click Add another AWS account and enter an external account ID in order to specify another AWS account that can use this KMS CMK to encrypt and decrypt your Amazon RDS databases. The owners of the external AWS accounts must also provide access to this CMK by creating appropriate policies for their IAM users. Click Next to continue the process.

10 For Step 5 Review and edit key policy, review the key policy, then click Finish to create your new KMS Customer Master Key (CMK). Once the key is successfully created, the KMS console will display the following confirmation message: "Success. Your customer master key was created with alias <key-alias> and key ID <key-id>".

11 Once your new Customer Master Key (CMK) has been created, navigate to Amazon RDS console at https://console.aws.amazon.com/rds/.

12 In the navigation panel, under Amazon RDS, choose Databases.

13 Select the Amazon RDS database instance that you want to encrypt using KMS CMKs, choose Actions, and select Take snapshot.

14 On the Take DB snapshot setup page, enter a name for the instance snapshot in the Snapshot name box, and choose Take snapshot (the backup process may take a few minutes and depends on your RDS instance storage size). The snapshot is a point-in-time copy: writes that reach the source instance after this point will not be present on the encrypted instance, so stop application writes (or plan to replay them) before taking it.

15 Select the newly created database instance snapshot, choose Actions, and select Copy snapshot to create a new copy of the selected snapshot.

16 On the Copy snapshot setup page, perform the following actions:

  1. From the Destination Region dropdown list, select the region where you want to save the copy of the selected snapshot.
  2. In the New DB Snapshot Identifier box, type a unique name for the new database snapshot.
  3. (Optional) From Target Option Group (Optional) dropdown list, select an option group to associate with your target database snapshot.
  4. (Optional) Select the Copy Tags checkbox if you want your new database snapshot to have the same tags as the source snapshot.
  5. In the Encryption section, select the Enable Encryption checkbox to enable encryption at rest for the new Amazon RDS database snapshot. Select the newly created KMS Customer Master Key (CMK) from the Master key dropdown list to use your own KMS key or choose Enter a key ARN and provide the Amazon Resource Name (ARN) of your customer-managed Customer Master Key (CMK) in the ARN configuration box.
  6. Choose Copy snapshot to confirm the action. The process will take a couple of minutes to complete. Once created, you should see the encrypted Amazon RDS database snapshot (copy) in the Manual snapshots list.

17 Select the new snapshot copy (encrypted), choose Actions, and select Restore snapshot to restore the encrypted snapshot to a new Amazon RDS database instance.

18 On the Restore snapshot setup page, enter a unique name for your new, encrypted database instance in the DB instance identifier box. Configure the instance network and connectivity, instance type/class, storage and availability settings as needed; unless you set them here, the restored instance gets the engine's default DB parameter group and the VPC's default security group, so review public accessibility, security groups, the parameter group and deletion protection before relying on the instance. Choose Restore DB instance to create your new Amazon RDS database instance.

19 As soon as your new database instance is ready (i.e. instance status becomes Available), confirm on its Configuration tab that Encryption is Enabled and that the AWS KMS key attribute shows your CMK rather than aws/rds, then update your database application configuration to refer to the endpoint of the new (encrypted) database instance.

20 (Optional) You can now delete the source database instance to stop incurring charges for the RDS resource. To remove the source instance from your AWS cloud account, perform the following actions:

  1. Select the unencrypted database instance that you want to delete, choose Actions, and select Delete.
  2. In the Delete <instance-name> instance? confirmation box, select Create final snapshot?, type delete me into the required field, then choose Delete to confirm your action.

21 Repeat steps no. 13 – 20 for each Amazon RDS database instance that you want to reconfigure, available within the current AWS region.

22 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Define the policy that enables the selected IAM users and/or roles to manage your new Customer Master Key (CMK), and to encrypt/decrypt your Amazon RDS databases using the KMS API. Create a new policy document (JSON format), name the file rds-cmk-policy.json, and paste the following content (replace the placeholders, i.e. the AWS account ID and the ARNs for the IAM users and/or roles, with your own details). The principal that will later run copy-db-snapshot and restore-db-instance-from-db-snapshot must be covered by both the "Allow use of the key" and the "Allow attachment of persistent resources" statements: Amazon RDS creates a grant on the key on that principal's behalf, and the kms:GrantIsForAWSResource condition restricts such grants to AWS services:

{
	"Id": "rds-cmk-policy",
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "Enable IAM User Permissions",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::<aws-account-id>:root"
			},
			"Action": "kms:*",
			"Resource": "*"
		},
		{
			"Sid": "Allow access for Key Administrators",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"
			},
			"Action": [
				"kms:Create*",
				"kms:Describe*",
				"kms:Enable*",
				"kms:List*",
				"kms:Put*",
				"kms:Update*",
				"kms:Revoke*",
				"kms:Disable*",
				"kms:Get*",
				"kms:Delete*",
				"kms:TagResource",
				"kms:UntagResource",
				"kms:ScheduleKeyDeletion",
				"kms:CancelKeyDeletion"
			],
			"Resource": "*"
		},
		{
			"Sid": "Allow use of the key",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"
			},
			"Action": [
				"kms:Encrypt",
				"kms:Decrypt",
				"kms:ReEncrypt*",
				"kms:GenerateDataKey*",
				"kms:DescribeKey"
			],
			"Resource": "*"
		},
		{
			"Sid": "Allow attachment of persistent resources",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"
			},
			"Action": [
				"kms:CreateGrant",
				"kms:ListGrants",
				"kms:RevokeGrant"
			],
			"Resource": "*",
			"Condition": {
				"Bool": {
					"kms:GrantIsForAWSResource": "true"
				}
			}
		}
	]
}

02 Run create-key command (OSX/Linux/UNIX) using the policy document created at the previous step (i.e. rds-cmk-policy.json) as value for the --policy parameter, to create your new customer-provided Customer Master Key (CMK). Amazon RDS requires a symmetric encryption key, which is what create-key produces by default, and the key must live in the same region as the database instances it will protect:

aws kms create-key \
  --region us-east-1 \
  --description 'KMS CMK for encrypting Amazon RDS databases' \
  --policy file://rds-cmk-policy.json \
  --query 'KeyMetadata.Arn'

03 The command output should return the ARN of the new Customer Master Key (CMK):

"arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd"

04 Run create-alias command (OSX/Linux/UNIX) using the key ARN returned at the previous step to attach an alias to the new CMK. The alias must start with the prefix "alias/" and cannot start with "alias/aws/", which is reserved for AWS managed keys such as aws/rds (the command should not produce an output):

aws kms create-alias \
  --region us-east-1 \
  --alias-name alias/RDSDataCMK \
  --target-key-id arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd

05 Run create-db-snapshot command (OSX/Linux/UNIX) to create a new snapshot for the Amazon RDS database instance that you want to encrypt using your own Customer Master Key (CMK). The snapshot is a point-in-time copy: writes that reach the source instance after this point are not carried over to the encrypted copy, so stop application writes (or plan to replay them) before taking it:

aws rds create-db-snapshot \
  --region us-east-1 \
  --db-snapshot-identifier cc-project5-mysql-database-snapshot \
  --db-instance-identifier cc-project5-mysql-database

06 The command output should return the metadata of the new database instance snapshot:

{
	"DBSnapshot": {
		"Engine": "mysql",
		"Status": "creating",
		"AvailabilityZone": "us-east-1a",
		"ProcessorFeatures": [],
		"DBSnapshotArn": "arn:aws:rds:us-east-1:123456789012:snapshot:cc-project5-mysql-database-snapshot",
		"PercentProgress": 0,
		"MasterUsername": "ccadmin",
		"Encrypted": false,
		"LicenseModel": "general-public-license",
		"StorageType": "gp2",
		"VpcId": "vpc-abcdabcd",
		"DBSnapshotIdentifier": "cc-project5-mysql-database-snapshot",
		"InstanceCreateTime": "2021-05-19T07:25:18.958Z",
		"OptionGroupName": "default:mysql-5-7",
		"AllocatedStorage": 20,
		"EngineVersion": "5.7.30",
		"SnapshotType": "manual",
		"DbiResourceId": "db-ABCDABCDABCDABCDABCD",
		"IAMDatabaseAuthenticationEnabled": false,
		"Port": 3306,
		"DBInstanceIdentifier": "cc-project5-mysql-database"
	}
}

07 Run copy-db-snapshot command (OSX/Linux/UNIX) to copy the specified database snapshot and encrypt its data using your newly created customer-managed Customer Master Key (CMK):

aws rds copy-db-snapshot \
  --region us-east-1 \
  --source-db-snapshot-identifier cc-project5-mysql-database-snapshot \
  --target-db-snapshot-identifier cc-encrypted-project5-mysql-database-snapshot \
  --kms-key-id arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd

08 The command output should return the metadata of the new Amazon RDS database snapshot:

{
	"DBSnapshot": {
		"MasterUsername": "ccadmin",
		"LicenseModel": "general-public-license",
		"InstanceCreateTime": "2021-05-18T15:31:20.677Z",
		"Engine": "mysql",
		"VpcId": "vpc-abcdabcd",
		"SourceRegion": "us-east-1",
		"AllocatedStorage": 20,
		"Status": "creating",
		"PercentProgress": 0,
		"SourceDBSnapshotIdentifier": "arn:aws:rds:us-east-1:123456789012:snapshot:cc-project5-mysql-database-snapshot",
		"DBSnapshotIdentifier": "cc-encrypted-project5-mysql-database-snapshot",
		"DBSnapshotArn": "arn:aws:rds:us-east-1:123456789012:snapshot:cc-encrypted-project5-mysql-database-snapshot",
		"EngineVersion": "5.7.30",
		"ProcessorFeatures": [],
		"OptionGroupName": "default:mysql-5-7",
		"AvailabilityZone": "us-east-1a",
		"StorageType": "gp2",
		"Encrypted": true,
		"IAMDatabaseAuthenticationEnabled": false,
		"KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd",
		"DbiResourceId": "db-ABCDABCDABCDABCDABCD",
		"SnapshotType": "manual",
		"Port": 3306,
		"DBInstanceIdentifier": "cc-project5-mysql-database"
	}
}

09 Run restore-db-instance-from-db-snapshot command (OSX/Linux/UNIX) to restore the encrypted snapshot created at the previous step to a new Amazon RDS database instance. Unless you pass --db-parameter-group-name, --db-subnet-group-name, --vpc-security-group-ids, --no-publicly-accessible and --deletion-protection, the restored instance gets the engine's default DB parameter group and the VPC's default security group, so add those parameters to match (or harden) the source instance's configuration:

aws rds restore-db-instance-from-db-snapshot \
  --region us-east-1 \
  --db-instance-identifier cc-encrypted-project5-mysql-database \
  --db-snapshot-identifier cc-encrypted-project5-mysql-database-snapshot

10 The command output should return the configuration metadata for the new RDS database instance:

{
	"DBInstance": {
		"PubliclyAccessible": true,
		"MasterUsername": "ccadmin",
		"MonitoringInterval": 0,
		"LicenseModel": "general-public-license",
		"VpcSecurityGroups": [
			{
				"Status": "active",
				"VpcSecurityGroupId": "sg-0abcd1234abcd1234"
			}
		],
		"InstanceCreateTime": "2021-05-12T08:00:00.677Z",
		"CopyTagsToSnapshot": true,
		"OptionGroupMemberships": [
			{
				"Status": "in-sync",
				"OptionGroupName": "default:mysql-5-7"
			}
		],
		"Engine": "mysql",
		"MultiAZ": false,
		"DBSecurityGroups": [],
		"DBParameterGroups": [
			{
				"DBParameterGroupName": "default.mysql5.7",
				"ParameterApplyStatus": "in-sync"
			}
		],
		"PerformanceInsightsEnabled": true,
		"AutoMinorVersionUpgrade": true,
		"PreferredBackupWindow": "06:02-06:32",
		"DBSubnetGroup": {
			"Subnets": [
				{
					"SubnetStatus": "Active",
					"SubnetIdentifier": "subnet-abcd1234",
					"SubnetOutpost": {},
					"SubnetAvailabilityZone": {
						"Name": "us-east-1d"
					}
				},
				{
					"SubnetStatus": "Active",
					"SubnetIdentifier": "subnet-1234abcd",
					"SubnetOutpost": {},
					"SubnetAvailabilityZone": {
						"Name": "us-east-1e"
					}
				},
				{
					"SubnetStatus": "Active",
					"SubnetIdentifier": "subnet-abcdabcd",
					"SubnetOutpost": {},
					"SubnetAvailabilityZone": {
						"Name": "us-east-1b"
					}
				},
				{
					"SubnetStatus": "Active",
					"SubnetIdentifier": "subnet-12341234",
					"SubnetOutpost": {},
					"SubnetAvailabilityZone": {
						"Name": "us-east-1a"
					}
				},
				{
					"SubnetStatus": "Active",
					"SubnetIdentifier": "subnet-abcd1234",
					"SubnetOutpost": {},
					"SubnetAvailabilityZone": {
						"Name": "us-east-1f"
					}
				},
				{
					"SubnetStatus": "Active",
					"SubnetIdentifier": "subnet-1234abcd",
					"SubnetOutpost": {},
					"SubnetAvailabilityZone": {
						"Name": "us-east-1c"
					}
				}
			],
			"DBSubnetGroupName": "default-vpc-abcdabcd",
			"VpcId": "vpc-abcdabcd",
			"DBSubnetGroupDescription": "Created from the AWS Management Console",
			"SubnetGroupStatus": "Complete"
		},
		"ReadReplicaDBInstanceIdentifiers": [],
		"AllocatedStorage": 20,
		"DBInstanceArn": "arn:aws:rds:us-east-1:123456789012:db:cc-encrypted-project5-mysql-database",
		"BackupRetentionPeriod": 0,
		"PreferredMaintenanceWindow": "thu:03:27-thu:03:57",
		"Endpoint": {
			"HostedZoneId": "ABCDABCDABCD",
			"Port": 3306,
			"Address": "cc-encrypted-project5-mysql-database.abcdabcdabcd.us-east-1.rds.amazonaws.com"
		},
		"DBInstanceStatus": "available",
		"IAMDatabaseAuthenticationEnabled": true,
		"EngineVersion": "5.7.30",
		"DeletionProtection": true,
		"AvailabilityZone": "us-east-1a",
		"DomainMemberships": [],
		"StorageType": "gp2",
		"DbiResourceId": "db-ABCDABCDABCDABCDABCDABCDAB",
		"CACertificateIdentifier": "rds-ca-2019",
		"StorageEncrypted": true,
		"KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd",
		"AssociatedRoles": [],
		"DBInstanceClass": "db.t3.medium",
		"DbInstancePort": 0,
		"DBInstanceIdentifier": "cc-encrypted-project5-mysql-database"
	}
}

11 As soon as your new database instance is ready (DBInstanceStatus is available), verify with describe-db-instances that "StorageEncrypted" is true and "KmsKeyId" is the ARN of your CMK, then update your database application configuration to refer to the endpoint of the new (encrypted) database instance. The new instance has a new endpoint address, and any writes made to the source instance after the snapshot in step 05 are not present on it.

12 (Optional) You can choose to delete the source database instance. Run delete-db-instance command (OSX/Linux/UNIX) using the name of the source database instance as the identifier parameter, to remove the specified RDS instance from your AWS cloud account. The command fails while deletion protection is enabled on the instance (turn it off first with modify-db-instance --no-deletion-protection), and the final snapshot it creates is unencrypted, just like the source storage, so copy it with your CMK or delete it once the cutover has been verified:

aws rds delete-db-instance \
  --region us-east-1 \
  --db-instance-identifier cc-project5-mysql-database \
  --final-db-snapshot-identifier cc-project5-mysql-database-final-snapshot

13 The command output should return the delete-db-instance command request metadata:

{
	"DBInstance": {
		"PubliclyAccessible": true,
		"MasterUsername": "ccadmin",
		"MonitoringInterval": 0,
		"LicenseModel": "general-public-license",
		"VpcSecurityGroups": [
			{
				"Status": "active",
				"VpcSecurityGroupId": "sg-0abcd1234abcd1234"
			}
		],
		"InstanceCreateTime": "2021-05-12T08:00:00.677Z",
		"CopyTagsToSnapshot": true,
		"OptionGroupMemberships": [
			{
				"Status": "in-sync",
				"OptionGroupName": "default:mysql-5-7"
			}
		],
		"Engine": "mysql",
		"MultiAZ": false,
		"DBSecurityGroups": [],
		"DBParameterGroups": [
			{
				"DBParameterGroupName": "default.mysql5.7",
				"ParameterApplyStatus": "in-sync"
			}
		],
		"PerformanceInsightsEnabled": true,
		"AutoMinorVersionUpgrade": true,
		"PreferredBackupWindow": "06:02-06:32",
		"DBSubnetGroup": {
			"Subnets": [
				{
					"SubnetStatus": "Active",
					"SubnetIdentifier": "subnet-abcd1234",
					"SubnetOutpost": {},
					"SubnetAvailabilityZone": {
						"Name": "us-east-1d"
					}
				},
				{
					"SubnetStatus": "Active",
					"SubnetIdentifier": "subnet-1234abcd",
					"SubnetOutpost": {},
					"SubnetAvailabilityZone": {
						"Name": "us-east-1e"
					}
				},
				{
					"SubnetStatus": "Active",
					"SubnetIdentifier": "subnet-abcdabcd",
					"SubnetOutpost": {},
					"SubnetAvailabilityZone": {
						"Name": "us-east-1b"
					}
				},
				{
					"SubnetStatus": "Active",
					"SubnetIdentifier": "subnet-12341234",
					"SubnetOutpost": {},
					"SubnetAvailabilityZone": {
						"Name": "us-east-1a"
					}
				},
				{
					"SubnetStatus": "Active",
					"SubnetIdentifier": "subnet-abcd1234",
					"SubnetOutpost": {},
					"SubnetAvailabilityZone": {
						"Name": "us-east-1f"
					}
				},
				{
					"SubnetStatus": "Active",
					"SubnetIdentifier": "subnet-1234abcd",
					"SubnetOutpost": {},
					"SubnetAvailabilityZone": {
						"Name": "us-east-1c"
					}
				}
			],
			"DBSubnetGroupName": "default-vpc-abcdabcd",
			"VpcId": "vpc-abcdabcd",
			"DBSubnetGroupDescription": "Created from the AWS Management Console",
			"SubnetGroupStatus": "Complete"
		},
		"ReadReplicaDBInstanceIdentifiers": [],
		"AllocatedStorage": 20,
		"DBInstanceArn": "arn:aws:rds:us-east-1:123456789012:db:cc-project5-mysql-database",
		"BackupRetentionPeriod": 0,
		"PreferredMaintenanceWindow": "thu:03:27-thu:03:57",
		"Endpoint": {
			"HostedZoneId": "ABCDABCDABCD",
			"Port": 3306,
			"Address": "cc-project5-mysql-database.abcdabcdabcd.us-east-1.rds.amazonaws.com"
		},
		"DBInstanceStatus": "deleting",
		"IAMDatabaseAuthenticationEnabled": true,
		"EngineVersion": "5.7.30",
		"DeletionProtection": false,
		"AvailabilityZone": "us-east-1a",
		"DomainMemberships": [],
		"StorageType": "gp2",
		"DbiResourceId": "db-ABCDABCDABCDABCDABCDABCDAB",
		"CACertificateIdentifier": "rds-ca-2019",
		"StorageEncrypted": false,
		"AssociatedRoles": [],
		"DBInstanceClass": "db.t3.medium",
		"DbInstancePort": 0,
		"DBInstanceIdentifier": "cc-project5-mysql-database"
	}
}

14 Repeat steps no. 5 – 13 for each Amazon RDS database instance that you want to reconfigure, available in the selected AWS region.

15 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
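The snapshot / encrypted copy / restore sequence of steps 05 – 11, scripted with boto3 waiters so it can be run per instance without watching the console. This is an added example, not Conformity's or AWS's own tooling; it assumes boto3, credentials with the RDS permissions those steps use plus kms:DescribeKey, and a key whose policy lets the caller use it (the key policy from step 01). The identifier helpers are pure and encode the RDS naming rules (start with a letter, letters/digits/hyphens, no trailing or double hyphen, 63 characters for instance identifiers, 255 for snapshot identifiers); the "-cmk" suffix and the restore options are the example's own choices. The function refuses to run if the key's KeyManager is not CUSTOMER and checks the restored instance's StorageEncrypted and KmsKeyId before returning.

```python
"""Encrypt an existing RDS instance with a customer-managed key: snapshot, copy, restore.

Added example for rule RDS-005, not Conformity's or AWS's tooling. The identifier
helpers run offline; encrypt_with_cmk() drives real boto3 clients (assumption:
boto3 installed, credentials configured, key policy allows the caller).
"""
from __future__ import annotations

import re

# RDS identifier rules: first char a letter, then letters/digits/hyphens, every hyphen
# followed by an alphanumeric (so no trailing hyphen and no "--").
_ID_RE = re.compile(r"^[a-zA-Z](-?[a-zA-Z0-9])*$")
MAX_DB_INSTANCE_ID = 63
MAX_DB_SNAPSHOT_ID = 255


def is_valid_identifier(identifier: str, max_len: int = MAX_DB_INSTANCE_ID) -> bool:
    return len(identifier) <= max_len and bool(_ID_RE.match(identifier))


def plan_identifiers(source_id: str, suffix: str = "cmk") -> dict[str, str]:
    """Derive the snapshot and target names from the source instance name and validate them."""
    names = {
        "source": source_id,
        "snapshot": f"{source_id}-pre-{suffix}-snapshot",
        "encrypted_snapshot": f"{source_id}-{suffix}-snapshot",
        "target": f"{source_id}-{suffix}",
    }
    for role, name in names.items():
        limit = MAX_DB_INSTANCE_ID if role in ("source", "target") else MAX_DB_SNAPSHOT_ID
        if not is_valid_identifier(name, limit):
            raise ValueError(f"{role} identifier {name!r} violates RDS naming rules")
    return names


def encrypt_with_cmk(rds, kms, source_id: str, key_id: str,
                     restore_kwargs: dict | None = None, waiter_config: dict | None = None) -> dict:
    """Snapshot source_id, copy the snapshot encrypted with key_id, restore it as a new
    instance and return that instance's DescribeDBInstances record.

    restore_kwargs is passed straight to restore_db_instance_from_db_snapshot, e.g.
    {"DBSubnetGroupName": ..., "VpcSecurityGroupIds": [...], "PubliclyAccessible": False,
    "DeletionProtection": True}; without them RDS falls back to engine/VPC defaults.
    """
    waiter_config = waiter_config or {"Delay": 30, "MaxAttempts": 240}   # up to 2 h per step
    meta = kms.describe_key(KeyId=key_id)["KeyMetadata"]
    if meta["KeyManager"] != "CUSTOMER":
        raise ValueError(f"{key_id} is not a customer-managed key (KeyManager={meta['KeyManager']})")
    key_arn = meta["Arn"]                 # RDS reports the key by ARN, whatever form the caller used
    names = plan_identifiers(source_id)

    # 1. Point-in-time snapshot of the (unencrypted) source instance.
    rds.create_db_snapshot(DBSnapshotIdentifier=names["snapshot"], DBInstanceIdentifier=source_id)
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=names["snapshot"],
                                                 WaiterConfig=waiter_config)
    # 2. Copy it; the copy is where the CMK gets applied.
    rds.copy_db_snapshot(SourceDBSnapshotIdentifier=names["snapshot"],
                         TargetDBSnapshotIdentifier=names["encrypted_snapshot"],
                         KmsKeyId=key_arn, CopyTags=True)
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=names["encrypted_snapshot"],
                                                 WaiterConfig=waiter_config)
    # 3. Restore the encrypted copy as a new instance.
    rds.restore_db_instance_from_db_snapshot(DBInstanceIdentifier=names["target"],
                                             DBSnapshotIdentifier=names["encrypted_snapshot"],
                                             **(restore_kwargs or {}))
    rds.get_waiter("db_instance_available").wait(DBInstanceIdentifier=names["target"],
                                                 WaiterConfig=waiter_config)
    # 4. Verify before anyone cuts over to the new endpoint.
    db = rds.describe_db_instances(DBInstanceIdentifier=names["target"])["DBInstances"][0]
    if not db.get("StorageEncrypted") or db.get("KmsKeyId") != key_arn:
        raise RuntimeError(f"{names['target']} is not encrypted with {key_arn}")
    return db


if __name__ == "__main__":
    import boto3  # assumption: installed and credentials configured

    session = boto3.Session(region_name="us-east-1")
    instance = encrypt_with_cmk(
        session.client("rds"), session.client("kms"),
        "cc-project5-mysql-database",
        "arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd",
        restore_kwargs={"PubliclyAccessible": False, "DeletionProtection": True},
    )
    print(instance["Endpoint"]["Address"])
```

The source instance is left untouched; deleting it (step 12) stays a separate, deliberate action after the application has been repointed and verified.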

Publication date May 4, 2016
